How EU sustainability legislation flows down from buyer to supplier

CSRD and CSDDD do not directly regulate most non-EU suppliers. They regulate the EU companies that buy from them. But through reporting obligations, due diligence requirements, and contractual mechanisms, the practical burden lands on suppliers who are not in scope at all. This article explains how that flow-down works and what it means in practice.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

The mechanism most non-EU suppliers do not understand

When EU sustainability regulation is discussed in the context of global supply chains, the conversation usually focuses on which companies are directly in scope. Large EU companies exceeding 1,000 employees and €450 million in net turnover must report under CSRD (with wave 1 entities above 500 employees already reporting). Companies exceeding 5,000 employees and €1.5 billion in turnover must conduct due diligence under CSDDD from 26 July 2029. Smaller companies and non-EU companies below the relevant thresholds are not directly regulated.

This framing is accurate but misleading. It describes who holds the legal obligation. It does not describe who does the work.

The EU companies that are directly subject to CSRD and CSDDD cannot satisfy those obligations from within their own four walls. CSRD requires them to report on sustainability impacts across their entire value chain. CSDDD requires them to conduct due diligence on actual and potential adverse impacts in their upstream operations and supplier relationships. Both obligations require data, evidence, and action that can only come from the non-EU suppliers, manufacturers, and producers further back in the chain.

The legal obligation sits with the EU company. The practical work falls substantially on its suppliers. And the commercial consequences of failing to do that work fall on the supplier, not the EU buyer.

This is the most important and most widely misunderstood dynamic in EU sustainability compliance. Understanding it requires understanding how each regulation generates specific obligations for EU buyers, how those obligations translate into requests on non-EU suppliers, and what happens when those requests cannot be answered.

How CSRD creates supply chain data obligations

The Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464) requires large EU companies to report on their sustainability impacts, risks, and opportunities using the European Sustainability Reporting Standards. The ESRS require reports to cover not just the company’s own operations but its entire value chain: upstream suppliers, downstream distributors, and in some cases end-users.

This value chain scope is not optional or aspirational. It is built into the reporting standards. ESRS E1, which covers climate change, requires disclosure of Scope 3 greenhouse gas emissions, which by definition originate outside the company’s own operations. Scope 3 includes emissions from purchased goods and services, which means the manufacturing processes of the company’s suppliers. ESRS S2, which covers workers in the value chain, requires disclosure of working conditions, fair wages, health and safety, and freedom of association among workers employed by the company’s upstream business partners. ESRS E4, covering biodiversity, requires disclosure of impacts on ecosystems associated with the company’s supply chains, including commodity sourcing.

None of these disclosures can be produced from data held by the EU company alone. The EU company does not know what emissions its suppliers generate in their production processes unless the suppliers tell it. It does not know whether workers in its supplier factories are paid a living wage unless it asks. It cannot assess biodiversity risk in its agricultural supply chain without understanding the land management practices of the producers it buys from.

The result is a data collection obligation that travels upstream through the supply chain. The EU company, in order to report what it is legally required to report, must ask its suppliers for information. Those suppliers may in turn need to ask their own suppliers. A four-tier supply chain with a large EU retailer at the top generates sustainability data requests that can reach a smallholder farmer or a small component manufacturer who has no legal obligations under EU law at all.

What the data requests look like in practice

CSRD data requests from EU buyers arrive in several forms. Some are structured questionnaires attached to annual supplier reviews. Some are requirements to complete assessments on third-party ESG platforms such as EcoVadis, Sedex, or similar services. Some are embedded in new supplier onboarding processes as mandatory fields in procurement systems. Some arrive as new contractual requirements attached to supply agreements at renewal.

The information typically requested includes greenhouse gas emissions data broken down by scope; energy consumption figures; water usage; waste generation and disposal methods; details of the supplier’s own environmental management systems and certifications; workforce statistics including headcounts, turnover rates, and accident rates; information on wage levels and whether they meet local living wage benchmarks; supplier diversity data; details of the supplier’s own supply chain due diligence processes; and any existing sustainability certifications or audit results.

The depth and specificity of these requests varies by the EU buyer’s size, sector, and maturity of CSRD implementation. In the first reporting years, many EU companies are still building their data collection infrastructure and their requests may be relatively broad. As CSRD reporting matures and assurance requirements intensify, the requests will become more specific, more verifiable, and more consequential for supplier selection.

The double materiality assessment and its implications for suppliers

The specific information an EU company must collect from its supply chain depends on the outcome of its double materiality assessment. This assessment determines which ESRS topics are material to the company: which sustainability issues affect its financial performance and which sustainability impacts it generates are significant enough to require disclosure.

For a large food and beverage company, ESRS E4 on biodiversity and ESRS S2 on workers in the value chain are almost certainly material. Its agricultural commodity suppliers will face requests related to both. For a large manufacturing company in a high-emissions sector, ESRS E1 and its Scope 3 emissions requirements will generate detailed requests to component suppliers about their production emissions. For a fast fashion retailer, ESRS S2 working condition disclosures will drive systematic supplier assessments.

The materiality assessment determines the scope of the data collection exercise, not whether data collection will happen. For suppliers to large EU companies in high-impact sectors, the expectation should be that CSRD-related requests will be both comprehensive and recurring.

How CSDDD creates due diligence flow-down

The Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760) operates differently from CSRD. Where CSRD is a reporting obligation, CSDDD is an operational one. It does not only require EU companies to disclose what happens in their supply chains. It requires them to take specific steps to identify, prevent, mitigate, and account for adverse human rights and environmental impacts in their supply chain relationships.

The CSDDD due diligence process, as set out in the directive, involves several sequential steps. The EU company must integrate due diligence into its policies and risk management systems. It must then identify and assess actual and potential adverse impacts in its own operations and those of its direct and indirect business partners. Where adverse impacts are identified, it must take appropriate measures to prevent, mitigate, or bring them to an end. It must establish a complaints and notification mechanism. And it must monitor the effectiveness of its due diligence measures and report publicly on them.

The identification and assessment step directly implicates non-EU suppliers. The EU company cannot identify actual or potential adverse impacts in its supply chain without information about what is happening there. It cannot assess whether a supplier’s labour practices comply with internationally recognised standards without conducting some form of review. It cannot understand environmental risks in an extractive or agricultural supply chain without data about the supplier’s operations.

The measures required to prevent, mitigate, or remedy adverse impacts create further obligations. Where a supplier is found to have inadequate practices, the EU company’s options under CSDDD include requesting contractual commitments from the supplier to improve, providing capacity-building support, adjusting the commercial relationship to reduce exposure to the impact, and ultimately suspending or terminating the relationship if the impact cannot be addressed. All of these involve the supplier directly.

Direct and indirect business partners

CSDDD distinguishes between direct and indirect business partners. Direct business partners are companies with whom the EU company has a direct contractual relationship: typically its tier-one suppliers. Indirect business partners are further back in the chain.

The due diligence obligation covers both, but with different levels of intensity. For direct business partners, the EU company is expected to conduct more thorough risk assessments and implement more direct remediation measures. For indirect business partners, the obligation is to take risk-based measures proportionate to the assessed risk level.

This distinction matters for supply chains with complex structures. A non-EU manufacturer supplying to a tier-one EU intermediary, rather than directly to a large EU brand, may be a direct business partner of the intermediary but an indirect business partner of the brand at the top of the chain. The practical impact depends on where the CSDDD-obligated company sits in the structure.

As CSDDD implementation progresses, EU companies are developing supplier codes of conduct, due diligence questionnaires specific to CSDDD requirements, and audit programmes that extend beyond tier one. Non-EU suppliers at all tiers should expect the reach of these programmes to extend as companies build their compliance infrastructure.

The contractual mechanism

The most direct way EU sustainability obligations reach non-EU suppliers is through contract. As CSRD and CSDDD come into full application, EU companies are updating their standard supplier contracts to include sustainability-related clauses that reflect their own legal obligations.

These clauses take several forms. Some require suppliers to provide specific categories of sustainability data on an annual or periodic basis. Some require suppliers to maintain certifications or complete third-party audits as a condition of the supply relationship. Some require suppliers to implement specific management systems, such as an environmental management system certified to ISO 14001 or a social compliance programme audited against a recognised standard such as SA8000 or SMETA.

The most consequential clauses are those that make the supply relationship conditional on compliance. A supplier that cannot meet the contractual sustainability requirements faces the possibility of contract non-renewal or termination. For EU buyers subject to CSDDD, this is not a preference. The directive requires them to take action where due diligence identifies risks that the supplier cannot or will not address.

The enforceability of these clauses varies by contract law and jurisdiction. But the commercial reality is straightforward: a large EU buyer has significant leverage over its non-EU suppliers, and using contractual mechanisms to extend its own compliance obligations to those suppliers is the most efficient way to satisfy its regulatory requirements. Suppliers who understand this and position themselves as compliance-ready counterparties are in a materially better position than those who do not.

What happens when suppliers cannot respond

The immediate consequence of a supplier being unable to respond to CSRD data requests is that the EU buyer has a gap in its sustainability report. For disclosures where the data is material, that gap is not acceptable. The buyer must either estimate the missing data (which introduces uncertainty and can attract auditor qualifications) or disclose that it was unable to obtain the data and explain why.

As assurance requirements under CSRD intensify over time, gaps in supply chain data become more visible and more consequential. A sustainability report with unexplained data gaps or heavy reliance on estimates will attract more scrutiny from assurance auditors. EU companies that invest in supplier relationships where reliable data is consistently available will have a compliance advantage over those that rely on estimates and explanations.

The consequence of a supplier being unable to respond to CSDDD due diligence requests is more direct. If the EU buyer cannot assess whether the supplier’s practices are adequate because the supplier will not or cannot provide the necessary information, the buyer faces a choice between accepting unresolved compliance risk or changing its sourcing. For large EU companies with regulatory penalties and reputational exposure on the line, that choice is not difficult.

Non-EU suppliers who are not in a position to respond to sustainability data requests are not simply losing a compliance argument. They are making themselves commercially difficult to work with for the most regulated and in many cases highest-value EU buyers. The consequence is not immediate exclusion in most cases. But it is a steady erosion of preferred supplier status, reduced access to new contracts, and increased vulnerability at renewal.

The practical steps for non-EU suppliers

The starting point is understanding what your EU buyers are likely to require and whether you are currently in a position to provide it.

For CSRD data requests, the most commonly required information is greenhouse gas emissions data (particularly Scope 1 and Scope 2 from your own operations); workforce data including headcounts, accident rates, and information on wages relative to local living wage benchmarks; and basic environmental data including energy consumption, water usage, and waste generation. If you do not currently track any of these, starting with the categories most relevant to your sector and most commonly requested by your buyers is the practical first move.

For CSDDD due diligence, the most important preparation is being able to demonstrate that you have adequate human rights and environmental management practices in place. This does not necessarily mean having a formal certification, though certifications provide credibility. It means being able to describe your practices clearly, document them, and show what you do when problems arise. An EU buyer conducting due diligence needs to be able to conclude that the risk of adverse impacts in your operations is being managed. Suppliers who can demonstrate that clearly are significantly easier to clear through a due diligence process than those who cannot.

The contractual step is reviewing your existing supplier agreements with EU buyers for sustainability-related clauses and understanding what they require. New agreements and renewals will increasingly include these clauses, and being aware of their content before signing is significantly better than discovering the obligations after the fact.

The broader strategic step is treating EU buyer sustainability requirements not as a compliance burden but as a signal of where the market is moving. The EU companies that are currently building their CSRD reporting infrastructure and their CSDDD due diligence programmes are the buyers who will be most rigorous about supplier sustainability performance over the next three to five years. Being ahead of their requirements rather than behind them is a competitive position, not merely a compliance one.

Detailed guidance on responding to specific CSRD and CSDDD supplier questionnaires from EU buyers will be published in this series. For context on why EU sustainability regulations create these supply chain obligations, see Why EU sustainability laws affect businesses that are not based in the EU. For an overview of the full EU sustainability regulatory landscape, see EU sustainability regulation in 2026: an overview of what is now in force.

This article is part of the Verdandi EU sustainability regulation series. Verdandi is Citium’s EU sustainability compliance tracker, currently in development. If you want to be kept informed ahead of launch, get in touch.
